Suricata 4.1.6

[dougburks]

https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/

[dougburks]

I've packaged Suricata 4.1.6 and the following package is now available at ppa:securityonion/test:

securityonion-suricata - 4.1.6-1ubuntu1securityonion2

Please test/verify as follows:

• start with a 16.04 box with all stable updates applied

• run through Setup, choosing Production Mode, Standalone, Best Practices, and Suricata

• snapshot the VM if possible

• add the test PPA:

  sudo add-apt-repository -y ppa:securityonion/test

• install all updates:

  sudo soup -y

• the Suricata package should back up your existing suricata.yaml, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update

• PLEASE NOTE! suricata.yaml has recently changed SIGNIFICANTLY. Please sanity-check all options in suricata.yaml.

• if necessary, manually update the new suricata.yaml for your environment

• update rules:

  sudo rule-update

• verify the new version number:

  suricata -V

• run through your normal testing in as many different combinations as possible: PF_RING vs AF_PACKET single worker vs multiple workers Please note that AF_PACKET load balancing doesn't appear to work properly when tcpreplay is run on the same box as Suricata. AF_PACKET load balancing should work correctly when connected to a live tap or span port. Alternatively, if you're testing in a VM, you can run tcpreplay on another VM connected to the same virtual network as your Suricata VM.

• check sostat output for anything out of the ordinary (specifically, check the pf_ring and Suricata sections for packet loss)

• check log files for any warnings/errors out of the ordinary

• reboot and make sure everything still works properly

• re-run Setup and make sure everything still works properly

• anything else I missed?

Thanks in advance for your time and effort!

[Ucnt]

tl;dr upgrade was successful.

• Started from a 16.04.6.2 ISO install on ESXi with 2 x port mirror interfaces at a branch office.
• Went through initial install steps and setup, adding PPA
• sudo soup -y
  • Did get note to review yaml and run rule-update
  • Updated to 4.1.6.
  • Carried over HOME_NET variables ** During one test, I set "set-cpu-affinity" to yes prior to update. The update reverted that to "no". Not sure if that's as intended.
• No dropped packets reported (~10 min run time) and no odd logs
• Rebooted and everything came up, Kibana and squert showed logs/alerts
• Re-ran setup and everything came back up with 4.1.6
• Still no packets dropped.
• Running af-packet by default, with no cpu affinity

Still need to do additional testing and let it bake in but so far so good!

[weslambert]

No issues during my testing. @Ucnt we don't currently migrate settings for cpu affinity or eve.json (etc.), however, we may consider doing so in the future.

Thanks, Wes

[dougburks]

Thanks @Ucnt and @weslambert !

Published: https://blog.securityonion.net/2019/12/suricata-416-now-available-for-security.html